From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-3.3 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,UNPARSEABLE_RELAY autolearn=ham autolearn_force=no version=3.4.4 Received: (qmail 31648 invoked from network); 7 Aug 2021 03:08:12 -0000 Received: from zero.zsh.org (2a02:898:31:0:48:4558:7a:7368) by inbox.vuxu.org with ESMTPUTF8; 7 Aug 2021 03:08:12 -0000 ARC-Seal: i=1; cv=none; a=rsa-sha256; d=zsh.org; s=rsa-20210803; t=1628305692; b=NQyz0IUXN8Cdq0hnjBZ85S4ZA1EzGp2nk8AmBpGa/hX2oMwC/KtmXMmvtk1ivxk/N3/OaWPw9k z+AetdwV8g37pXKJBZwNHCMKRxnoQUkOBaUTiGz+/7qOrX69wR0AQ50ZFf808H5B7iUiC32ao0 WBk/c85Dm+F7QmdU+0xqSb0QtQd0h0+iKc1Ja/KFwd5/wzbXRrmFxlfiADvadmnkpmZkQd+vvh ZJUsL4yMNht9C9nBV4hvEuEeE4uVLOHSrvafLZ/VllXqlDC6exOAIRi4dqZvyEDVeHXx1gQghL xatW58fm8YROAmjC4c42jQHyDVOL0sBF2r2rIwsM/hz/zQ==; ARC-Authentication-Results: i=1; zsh.org; iprev=pass (a.mx.sigpipe.cz) smtp.remote-ip=37.221.242.114; dmarc=none header.from=sigpipe.cz; arc=none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed; d=zsh.org; s=rsa-20210803; t=1628305692; bh=UAOLfBLhmp4y4vE6IMfHYngMCAUQYjsHACffVN0DN0U=; h=List-Archive:List-Owner:List-Post:List-Unsubscribe:List-Subscribe:List-Help: List-Id:Sender:Content-Type:MIME-Version:Message-ID:Subject:To:From:Date: DKIM-Signature; b=sfNlW1Fbtc2jAHTKbcjyk+woEHOLA6pLNvzDhwId1taOZdhJdKjsDmXo11W5rCok962OOKuO83 uANlQmHTUvz4EEoOsUxmXQp64AbPtOVx4GPxeoRfhDfDe9OJw9VmyI6l1iETzslZp40wz5+ZXu /PIvhfOTEroIe9p5xSr9JLz/PNO4g7aQagcjjI4sDMN4M55+82hNIJue1UaE+7qPwZzYyRLI8R rVKiAgDVjO/rrVPwaqQitEr4UiFLWSuYvwxpc7RDBKABMIX9sMMoCWVl214eR2190YajH7u5zD C/dh0MKXdw/X6i0v650s3W986MmiLbcOlnsm60Bak3SuHA==; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=zsh.org; s=rsa-20210803; h=List-Archive:List-Owner:List-Post:List-Unsubscribe: List-Subscribe:List-Help:List-Id:Sender:Content-Type:MIME-Version:Message-ID: Subject:To:From:Date:Reply-To:Cc:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References; bh=12/aipdYekvg3w3UN8XBTwKLpFSp6cgE6aRzXoiahII=; b=Zeh/BIZ44mfo4UhUWolz+FnwNR Q7Uao8599qSLeIr4BrNUCaVstzYPRPg4hy0YZFsCdaXCUeYPRa7t9clHmm5vRKoGhiEcOQIPmMgcB 7YhR9x6M8pJmcWvb2chDC+SZWWc1g+2+SYv4GJNoaQHmFZ+6POH0WLBRsYlzuXB6H1q+wkmpLqW7l iBSi96S4o3Ga15arKwKL+Ym63vus4Xn+Q5bkSJOHdFzA3nw8fvbidkoxCEifknMYx7whHEj9BiBtW OhYUm5vD+8UVcPK6ChVMsGfs9/YUQVYHH5yMxypK/IU6KKE0BFQ0w6bPf5oMg9oWtTVl4n957xw/F AAxc1a0A==; Received: from authenticated user by zero.zsh.org with local id 1mCCgz-000OrY-5x; Sat, 07 Aug 2021 03:08:09 +0000 Authentication-Results: zsh.org; iprev=pass (a.mx.sigpipe.cz) smtp.remote-ip=37.221.242.114; dmarc=none header.from=sigpipe.cz; arc=none Received: from a.mx.sigpipe.cz ([37.221.242.114]:2714) by zero.zsh.org with esmtps (TLS1.3:TLS_AES_256_GCM_SHA384:256) id 1mCCfi-000OA7-QT; Sat, 07 Aug 2021 03:06:51 +0000 Received: by a.mx.sigpipe.cz (Postfix, from userid 1001) id A002E155503773; Sat, 7 Aug 2021 05:06:49 +0200 (CEST) Date: Sat, 7 Aug 2021 05:06:49 +0200 From: Roman Neuhauser To: zsh-users@zsh.org Subject: questions re: NO_PROMPT_PERCENT Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Seq: 26873 Archived-At: X-Loop: zsh-users@zsh.org Errors-To: zsh-users-owner@zsh.org Precedence: list Precedence: bulk Sender: zsh-users-request@zsh.org X-no-archive: yes List-Id: List-Help: List-Subscribe: List-Unsubscribe: List-Post: List-Owner: List-Archive: i was playing with my prompt settings, and arrived at a place where i was setting PROMPT to a value with no remaining %-sequences to expand (i was trying to achieve a particular visual effect which depends on the contents of the expanded prompt). prompt-git-info # populates $git_info declare -a bits=("%(!~ "!%!" "?%?" "%%""%j" "%3~" "$git_info") declare -a s=("%B" "%S") # vvvvvvvvvvvvvvvvvvvv declare tmp="${(%j: :)bits}" # insert more %-sequences between characters in $tmp # ^^^^^^^^^^^^^^^^^^^^ PROMPT="${(%j::)s} $tmp ${(%j::)${(@LMOa)s#%?}} " if i'm reading this situation correctly (am I? honest question!), a malicious repository could use PROMPT_PERCENT to paint over my prompt with fake data (`ESC [ Ps G` for a start), and what i should be doing instead is # vvvvvvvvvvvvvvv setopt nopromptpercent # ^^^^^^^^^^^^^^^ declare -a bits=("%(!~#~:)" "!%!" "?%?" "%%""%j" "%3~") declare tmp="${(%j: :)bits}" # vvvvvvvvvvvvvvv tmp+=" ${(V)git_info}" # ^^^^^^^^^^^^^^^ # insert more %-sequences between characters in $tmp PROMPT="${(%j::)s} $tmp ${(%j::)${(@LMOa)s#%?}} " BTW, i'm not much of a target and i don't think my PROMPT would be the anyone's first choice of an attack vector against me, but please humor me. so i tried turning PROMPT_PERCENT off, and ended up with broken * completion * corrections * xtrace (i know, PS4) and possibly more (i know about select) but i didn't look further and reverted, the completion system must be using a mix of print -P and ${(%)..} (the latter is unperturbed by the setting) since the terminal gets unusable promptly, pun intended. (the shell loses track of the cursor.) i looked at the code history, the option goes beyond 1999, and mere git log / git grep does not give much detail about behavior expected back then; eg. it's possible print -P didn't even exist back then. % git grep -i -e percent c175751b5 -- ChangeLog c175751b5:ChangeLog: Src/options.c, Src/prompt.c, Src/zsh.h: Options PROMPT_PERCENT (there's no Src/ in the c175751b5 tree as far as i can see) my questions are: * is there a meaningful difference between set +o promptsubst; PROMPT="... $var ..." and set -o promptsubst; PROMPT='... $var ...'? * is my understanding of PROMPT being susceptible to malicious data substituted directly as above correct? what are effective mitigations? does ${(V)} really have me covered under PROMPTSUBST? what are the limits imposed by %{...%}? the manual says it "should not change the cursor position", a quick test suggests it would be better worded as "will not be allowed ..."? this deserves more detail in the text. * does the topic deserve better coverage in the manual? i'm convinced it does. * would everyone (is there one?) using nopromptpercent raise their hand? please describe your interactive use of zsh 5.x with nopromptpercent! * i keep praising zsh for its conservatism, but screw 1999, what is the *goal* of the setting *today*? ie. is the impact NOPROMPTPERCENT has on CORRECT expected? is it *desired*? why? what are the $REASONS in "displaying the CORRECT prompt without substituting %R or %r is a major goal of this option because $REASONS"? i mean, if CORRECT is a security concern (how?) then there's NOCORRECT, no? * why does it affect `print -P`? * why does it *not* affect the % parameter expansion flag? -- roman